diff options
author | ian <ian> | 2001-12-15 17:55:07 +0000 |
---|---|---|
committer | ian <ian> | 2001-12-15 17:55:07 +0000 |
commit | e6a01344866b5b008ba9efb7c6d446911b9e1588 (patch) | |
tree | e590c578cc7d82e5d14528cf2c4375e5733b3c80 /ipif | |
parent | f21c3bcf37d069a38980430471fa492e1147cd49 (diff) | |
download | userv-utils-e6a01344866b5b008ba9efb7c6d446911b9e1588.tar.gz |
@@ -7,8 +7,9 @@
* udptunnel-vpn-config.m4 allows global file to override as intended.
* www-cgi passes HTTP_COOKIE header.
* indirect ssh via V_sshinvoke.
+ * userv-ipif config file allows exclusions in network permissions.
- --
+ -- Ian Jackson <ian@davenant.greenend.org.uk> Sat, 15 Dec 2001 17:55:06 +0000
userv-utils (0.2.1) unstable; urgency=low
Diffstat (limited to 'ipif')
-rw-r--r-- | ipif/service.c | 148 |
1 files changed, 111 insertions, 37 deletions
diff --git a/ipif/service.c b/ipif/service.c index 4137794..3a59b2b 100644 --- a/ipif/service.c +++ b/ipif/service.c @@ -59,7 +59,7 @@ * Reads a file which contains lines which are each <config> * items. * - * <gid>,[=]<prefix>/<len>[,<junk>] + * <gid>,[=][-|+]<prefix>/<len>(-|+<prefix>/<len>...)[,<junk>] * * Indicates that <gid> may allocate addresses in the relevant address * range (<junk> is ignored). <gid> must be numeric. To specify a @@ -67,6 +67,13 @@ * specified then the specific subrange is only allowed for the local * endpoint address, but not for remote addresses. * + * More than one range may be given, with each range prefixed + * by + or -. In this case each address range in the rule will + * scanned in order, and the first range in the rule that matches + * any desired rule will count: if that first matching range is + * prefixed by `+' (or nothing) then the rule applies, if it + * is prefixed by `-' (or nothing matches), the rule does not. + * * * * Means that anything is to be permitted. This should not appear in * /etc/userv/ipif-networks, as that would permit any user on the @@ -128,11 +135,12 @@ static const int signals[]= { SIGHUP, SIGINT, SIGTERM, 0 }; static const char *configstr, *proto; static unsigned long localaddr, peeraddr, mtu; +static int localpming, peerpming; static int localallow, peerallow, allallow; static int nexroutes; static struct exroute { unsigned long prefix, mask; - int allow; + int allow, pming; char prefixtxt[ATXTLEN], masktxt[ATXTLEN]; } exroutes[MAXEXROUTES]; @@ -290,12 +298,17 @@ static unsigned long eat_number(const char **argp, const char *what, return rv; } -static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1, - const char *w2, unsigned long p2, unsigned long m2) { +static int addrnet_overlap(unsigned long p1, unsigned long m1, + unsigned long p2, unsigned long m2) { unsigned long mask; mask= m1&m2; - if ((p1 & mask) != (p2 & mask)) return; + return (p1 & mask) == (p2 & mask); +} + +static void addrnet_mustdiffer(const char *w1, unsigned long p1, unsigned long m1, + const char *w2, unsigned long p2, unsigned long m2) { + if (!addrnet_overlap(p1,m1,p2,m2)) return; badusage("%s %08lx/%08lx overlaps/clashes with %s %08lx/%08lx", w1,p1,m1, w2,p2,m2); } @@ -341,35 +354,66 @@ static int addrnet_isin(unsigned long prefix, unsigned long mask, unsigned long mprefix, unsigned long mmask) { return !(~mask & mmask) && (prefix & mmask) == mprefix; } + +/* Totally hideous algorithm for parsing the config file lines. + * For each config file line, we first see if its gid applies. If not + * we skip it. Otherwise, we do + * permit_begin + * which sets <foo>pming to 1 + * for each range. <foo>pming may be 0 if we've determined that + * this line does not apply to <foo>. + * permit_range + * which calls permit_range_thing for each <foo> + * which checks to see if <foo> is inside the relevant + * range (for +) or overlaps it (for -) and updates + * <foo>allow and <foo>pming. + */ + +static void permit_begin(void) { + int i; + localpming= peerpming= 1; + for (i=0; i<nexroutes; i++) exroutes[i].pming= 1; +} + +static void permit_range_thing(unsigned long tprefix, unsigned long tmask, + const char *what, int *tallow, int *tpming, + unsigned long pprefix, unsigned long pmask, + int plus, int *any) { + if (plus) { + if (!addrnet_isin(tprefix,tmask, pprefix,pmask)) return; + if (*tpming) *tallow= 1; + } else { + if (!addrnet_overlap(tprefix,tmask, pprefix,pmask)) return; + *tpming= 0; + } + if (!proto) printf(" %c%s", plus?'+':'-', what); + *any= 1; +} -static void permit(unsigned long pprefix, unsigned long pmask, int localonly) { +static void permit_range(unsigned long prefix, unsigned long mask, + int plus, int localonly) { int i, any; + char idbuf[40]; - assert(!(pprefix & ~pmask)); + assert(!(prefix & ~mask)); any= 0; - if (!proto) fputs(localonly ? "permits-l" : "permits",stdout); - if (addrnet_isin(localaddr,~0UL, pprefix,pmask)) { - if (!proto) fputs(" local-addr",stdout); - any= localallow= 1; - } + permit_range_thing(localaddr,~0UL,"local", &localallow,&localpming, + prefix,mask, plus,&any); + if (!localonly) { - if (addrnet_isin(peeraddr,~0UL, pprefix,pmask)) { - if (!proto) fputs(" peer-addr",stdout); - any= peerallow= 1; - } + permit_range_thing(peeraddr,~0UL, "peer-addr", &peerallow,&peerpming, + prefix,mask, plus,&any); for (i=0; i<nexroutes; i++) { - if (addrnet_isin(exroutes[i].prefix,exroutes[i].mask, pprefix,pmask)) { - if (!proto) printf(" route#%d",i); - any= exroutes[i].allow= 1; - } + sprintf(idbuf,"route#%d",i); + permit_range_thing(exroutes[i].prefix,exroutes[i].mask, idbuf, + &exroutes[i].allow,&exroutes[i].pming, + prefix,mask, plus,&any); } } - if (!proto) { + if (!proto) if (!any) fputs(" nothing",stdout); - putchar('\n'); - } } static void pconfig(const char *configstr, int truncated); @@ -421,14 +465,15 @@ static void pfile(const char *filename) { static void pconfig(const char *configstr, int truncated) { unsigned long fgid, tgid, pprefix, pmask; - int plen, localonly; + int plen, localonly, plus, rangeix, delim; char ptxt[ATXTLEN]; + char whattxt[100]; const char *gidlist; switch (configstr[0]) { case '*': - if (strcmp(configstr,"*")) badusage("`*' directive must be only thing on line"); - permit(0UL,0UL,0); + permit_begin(); + permit_range(0UL,0UL,1,0); return; case '#': @@ -444,28 +489,57 @@ static void pconfig(const char *configstr, int truncated) { badusage("unknown configuration directive"); fgid= eat_number(&configstr,"gid", 0,gidmaxval, ",",0); - if (configstr[0] == '=') { - localonly= 1; - configstr++; - } else { - localonly= 0; - } - eat_prefixmask(&configstr,"permitted-prefix", ",",0, &pprefix,&pmask,&plen); - if (!configstr && truncated) badusage("gid,prefix/len,... spec too long"); - if (!proto) printf(" %5lu,%s/%d: ", fgid, ip2txt(pprefix,ptxt), plen); + if (!proto) printf(" %5lu", fgid); gidlist= getenv("USERV_GID"); if (!gidlist) fatal("USERV_GID not set"); for (;;) { if (!gidlist) { - if (!proto) printf("no matching gid\n"); + if (!proto) printf(" no matching gid\n"); return; } tgid= eat_number(&gidlist,"userv-gid", 0,gidmaxval, " ",0); if (tgid == fgid) break; } - permit(pprefix,pmask,localonly); + + if (configstr[0] == '=') { + localonly= 1; + configstr++; + } else { + localonly= 0; + } + + permit_begin(); + + rangeix= 0; + plus= 1; + switch (configstr[0]) { + case '-': plus= 0; /* fall through */ + case '+': configstr++; + default:; + } + + for (;;) { + sprintf(whattxt, "%s-prefix#%d", + plus ? "permitted" : "notpermitted", + rangeix); + eat_prefixmask(&configstr,whattxt, ",+-",&delim, + &pprefix,&pmask,&plen); + if (!configstr && truncated) + badusage("gid,prefix/len,... spec too long"); + + if (!proto) + printf(" %c%s/%d:", plus?'+':'-',ip2txt(pprefix,ptxt), plen); + + permit_range(pprefix,pmask,plus,localonly); + if (delim==',') break; + + plus= delim=='-' ? 0 : 1; + rangeix++; + } + + putchar('\n'); return; } } |